CVE-2026-33414
Received Received - Intake
PowerShell Command Injection in Podman HyperV Backend Enables SYSTEM Execution

Publication date: 2026-04-14

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. This issue has been patched in version 5.8.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33414
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
podman_project podman From 4.8.0 (inc) to 5.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Podman versions 4.8.0 through 5.8.1 within the HyperV machine backend. It is a command injection flaw caused by inserting the VM image path into a PowerShell double-quoted string without proper sanitization. Because PowerShell evaluates subexpressions inside double-quoted strings, an attacker who controls the VM image path via a crafted machine name or image directory can inject and execute arbitrary PowerShell commands.

On typical Windows systems, this leads to SYSTEM-level code execution since the Podman process runs with high privileges. This vulnerability only affects Windows because the vulnerable code is exclusive to the HyperV backend. The issue was fixed in Podman version 5.8.2.

Impact Analysis

If exploited, this vulnerability allows an attacker to execute arbitrary PowerShell commands with SYSTEM-level privileges on a Windows machine running the affected Podman versions. This can lead to full system compromise, unauthorized access, data theft, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, upgrade Podman to version 5.8.2 or later, where the issue has been patched.

Avoid using untrusted or crafted machine names or image directories that could control the VM image path in the HyperV backend.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart